Comments on: howto://use TMG 2010 as the Exchange edge transport server

By: Ed Fisher

Ed Fisher — Tue, 06 Mar 2012 05:23:13 +0000

David, see this article on considerations when upgrading from Exchange 2007 to 2010 and then this checklist for the step by steps. You might also run ExDeploy to get a more tailored guide. As far as your settings, blacklists and whitelists are stored in AD, but specific configurations will need to be recorded from the 2007 FPE server and recreated on the 2010 Edge, and of course you will have to subscribe your new Edge server to the hub transport server in the nearest site. HTH Ed

By: David

David — Sun, 04 Mar 2012 07:34:56 +0000

Appreciated for your prompt response!. In one of client, we plan to upgrade exchange edge server 2007/ (FPE) to edge server 2010+TMG+FPE.

Could you please give me some best practices to go head with this

If i install the edge server 2010+TMG in DMZ, how the existing anti spam and other settings will replicate to the new edge 2010 server+TMG+FPE.

Please guide me

Warmest regards,
David

By: Ed Fisher

Ed Fisher — Sun, 04 Mar 2012 00:48:03 +0000

The advantage is only in minimizing your server count. If you can afford more servers/need more for performance, use separate boxes. Edge and TMG give you IPS and anti-spam, but you need FPE for anti-malware.

By: Ed Fisher

Ed Fisher — Sun, 04 Mar 2012 00:46:26 +0000

Ford vs Chevy. If you haven’t installed anything yet, follow the technet article. If you have already installed TMG, follow mine.
Either way gets you to the same place.

By: David

David — Sat, 03 Mar 2012 19:09:09 +0000

I have one more question, you recommend to install the
1)TMG,2)edge and then 3)FPE.

but in the below link , MS recommend to install 1)EDGE 2)FPE and 3)TMG

http://technet.microsoft.com/nl-nl/library/ee207141%28en-us%29.aspx

Please clarify
Thanks
David

By: David

David — Sat, 03 Mar 2012 18:26:40 +0000

Hi ED,

Thanks for posting such a wonderful article!! congrats!

What is the main advantage to have TMG,EDGE and FPE on the same server? All 3 have anti spam features but FPE has additional virus scanning features.

Could you please explain ellaborate to get understand better

Warmest regards,
David

By: Ed Fisher

Ed Fisher — Mon, 13 Feb 2012 19:13:08 +0000

You’re welcome!

By: Wes

Wes — Mon, 13 Feb 2012 18:48:36 +0000

The how-to regarding TMG 2010 and the Edge Transport Role was exactly what I was looking for. Thank you so much for your efforts.

By: jerome

jerome — Sat, 11 Feb 2012 07:37:47 +0000

Very appreciate and thank you for your replied. I have convince my supervisor have 2 NICs installed on TMG server. My TMG server is located at DMZ network and other then policy rules allowing SMTP traffic through the exchange edge server must be enabled during e-Mail policy setup, what other protocol is it require to add and allow pass through? My proxy server configure in internal network.

By: Ed Fisher

Ed Fisher — Fri, 10 Feb 2012 20:16:48 +0000

Depends on how the internal NIC is configured. If it is on one of those networks the routing is implicit, but the other won’t be reachable until you add it to the routing table with the next hop gateway.
Ed

By: Ed Fisher

Ed Fisher — Fri, 10 Feb 2012 20:15:37 +0000

With only one NIC, TMG is just a proxy and cannot do the content inspection and IPS work. I really urge you to deploy with two NICs and route traffic through the TMG to get the most out of it.
Ed

By: jerome

jerome — Fri, 10 Feb 2012 06:42:04 +0000

hello, one more question. TMG server will be deploy on DMZ network 176.23.x.x and connected to internal network 10.x.x.x and 192.168.x.x it is these routing table entries require enter during the installation of the TMG firewall? what if i didnt enter these entries , my email still able to flow in from external to internal user? Thanks.

By: jerome

jerome — Fri, 10 Feb 2012 04:31:28 +0000

Hi Guys, thank you for your reply. i have question here. my server will be setup in DMZ network. i have read articles through and i know that it is recommended to have 2 NICs configure to connect to the internal and external. what if configure only with 1 NICs in a single server running Edge + TMG + FPE? what is the pros and cons?

By: JRV

JRV — Thu, 02 Feb 2012 18:06:32 +0000

Adding to Ed’s comment, MS has done a good job of integrating EX Edge, TMG & FPE, making it about as painless a mail hygiene solution as you could hope for. And it’s the only anti-spam I’m aware of that’s integrated with Outlook’s Safe Senders List, making it easy for users to manage their own whitelists. Unless you’re already invested in another mail hygiene product and can’t or don’t want to change, definitely use Edge + TMG + FPE.

By: Ed Fisher

Ed Fisher — Thu, 02 Feb 2012 17:56:35 +0000

TMG email protection works fine by itself, but it does not have all the functionality of Forefront Protection for Exchange (FPE.) If you want the full anti-X capabilities, you will want to install FPE. For example, TMG will protect your email servers from attacks against email services, but does not protect your users from malware within an email. See this and this for details. If you only want to protect your servers, TMG is enough. If you want to protect your users, you want FPE or other third party anti-x solution. Ed